There’s a quiet shift going on in the business community, one that has the potential to tip the scales against cyber criminals; and it has nothing to do with AI, machine learning or any other shiny new technology.
I am referring to the rise of the v-CISO, or virtual chief information security officer. Much like a chief information security officer (CISO), the v-CISO serves alongside an organization’s executive team, engaged in the strategy and execution of a company’s cybersecurity policy. The key difference: the former is an internal role and the latter is an on-demand consultant.
But there’s so much more to it than that.
Hatched from a mounting need for hard-to-find, seasoned security professionals, the v-CISO has swept the industry over the past few years and could make one of the greatest impacts on small- to medium-sized businesses (SMBs) – a sector that has long suffered at the hands of cyber criminals.
The U.S. Small Business Administration states that SMBs represent 99.7 percent of all U.S. businesses and, according to the 2018 Verizon Data Breach Investigation Report, they remain the No. 1 target for cyber criminals. Yet, most have been underprepared to deal with an attack. Lack of readiness, including understaffing, poor strategic planning and the common misconception that they are not targets, is among the many reasons why.
It wasn’t until a few years ago that the business community as a whole began to take cybersecurity seriously. What changed? A sharp rise in breaches, plus greater awareness and new ratifications of state, federal, and international legislation requiring companies to employ a CISO or data protection officer (DPO), or else.
Unfortunately, companies found out that bringing on a qualified CISO or DPO isn’t that simple. Where are you going to find someone with a comprehensive blend of technical skills and business acumen, along with a decades-long career revolving around risk: identifying it, assessing it, presenting it to leadership and building programs to offset it? That type of broad cybersecurity experience was – and is – a rarity. In fact, a recent ISACA survey revealed that fewer than 25 percent of cybersecurity job candidates are qualified for the posted job.
Finding talent across the board has been a disaster – and it’s not expected to get much better anytime soon. According to Cybersecurity Ventures, more than 3.5 million jobs are expected to go unfilled by 2021. The fallout continues to put stress on current employees, leading to early career burnout, and forcing companies to place under-qualified personnel in key positions, including the C-suite.
There’s also the matter of retaining talent. According to the Ponemon Institute, senior security executives leave after 30 months on the job. And, even if companies can find viable talent, many organizations can’t afford the six-figure price tags necessary to lure and retain that talent.
Enter the v-CISO, an experienced security strategist who understands how security fits into every aspect of the business. By utilizing a risk-based approach, a v-CISO helps a company apply its resources in an effective manner, ensuring all assets are protected accordingly.
Usually employed by a third-party managed security services provider (MSSP), the v-CISO began to fill a need that had long gone unmet. It wasn’t until about four or five years ago that the role made its way into the mainstream. Eventually, more and more companies began turning to these third-party protectors to strengthen their defenses.
In fact, according to the 2018 Trends in Cybersecurity report, 78 percent of companies that have internal security resources use third parties for their security needs. Meanwhile, a 2017 report from Cybersecurity Insiders revealed that just 47 percent of companies deploy additional security solutions from third parties. While neither report specifically mentions MSSPs or the v-CISO as a service, the sharp increase in third-party utilization from year to year is a clear indicator that enterprises are increasingly turning to outside sources for their security needs.
And, as we look toward the future of cybersecurity, experts agree MSSPs and their flagship v-CISOs will be an integral part of defending the world’s data, especially for the millions of small- to medium-sized businesses in the U.S. that cannot afford to staff full-time security teams.
Steve Morgan, of Cybersecurity Ventures, stated in the 2018-2021 edition of the Cybersecurity Jobs Report, “MSSPs may be cybersecurity’s saving grace.” Moreover, 52 percent of companies plan to invest in MSSPs in the next three years, according to the 2018 Study on Global Megatrends in Cybersecurity. Globally, the MSSP market could surpass $58 billion by 2024.
I agree with Mr. Morgan. Finally, businesses that otherwise couldn’t defend themselves now have the protection they need – at a fraction of the cost of hiring an internal CISO. A typical in-house CISO can command anywhere from $150,000 to $350,000 per year. But with an MSSP, businesses have access to a v-CISO and, in some cases, an entire team of v-CISOs, at a fraction of the cost.
The economic factor is just the tip of the iceberg. Depending on which firm is hired, the v-CISO represents the best of the industry. They will have likely seen it all – many times over. What does that mean? Think of it like this: one CISO could spend decades at a company and never experience a debilitating attack. On one hand, good for them. However, they’ve never experienced the aftermath of an attack, so they are bound to make mistakes when their company is attacked. A v-CISO, on the other hand, does this stuff day in and day out, which is why MSSPs command top talent. Some of the best minds in cybersecurity work at outside firms because that’s where the action is. In the words of someone before me, “They eat breaches for breakfast.”
However, a v-CISO’s job runs much deeper than incident response or technological know-how. A common misconception among those outside the security field is that cybersecurity is all about technology. Nothing could be further from the truth. In fact, a v-CISO’s job has as much to do with IT as it does with finance, HR, product development, you name it. Why? Because cybersecurity isn’t limited to one department. In order for it to work effectively, every department must work in concert, otherwise everything falls apart.
As a v-CISO, I am helping companies solve real business problems. On any given day, I may be in the trenches with a company’s IT team assisting with a secure network architecture design, in HR working on background screening criteria, or in a board room meeting with the C-suite providing strategic guidance for future business initiatives. I spend a lot of time advising company leaders on many issues, including how to request budget for security, how to properly update the board of directors or how to effectively handle resource coordination. There’s no limit to what a v-CISO does, because it’s our job to know how security impacts every function of the business.
There’s no doubt that the rise of the v-CISO is changing the cybersecurity landscape for the better. It has given millions of companies a fighting chance at navigating a world where cybercrime is as rampant as the common cold. As we look to the future, I am confident the cybersecurity industry will work out the current kinks. I believe we’ll look back on today with pride, knowing it was our generation that turned the table on our adversaries.